Discussion:
Deleting computer accounts using System.DirectoryServices
S Garratt
2005-01-28 16:21:03 UTC
I've created a group and delegated authority to it to Delete Computer Objects
and Delete child objects of computer objects and I've put a user account into
the group. To test it, I've started AD Users & Computers using Runas with
the user account and I've been able to delete a computer account.

I have a problem with this code:

Imports System.DirectoryServices

Dim computerAccount As New DirectoryEntry("LDAP://" & _
    distinguishedNameValue, _
    deleteComputerAccountUser, _
    deleteComputerAccountPassword)
Try
    computerAccount.DeleteTree()
Catch ex As UnauthorizedAccessException
    ' DeleteTree raises this on "Access is denied"
    Throw
End Try
where distinguishedNameValue, deleteComputerAccountUser &
deleteComputerAccountPassword are exactly what they sound like.

When I use the account referred to above, the code returns an "Access is
denied" error. When I substitute in my Domain Admin credentials, it works
fine.
S Garratt
2005-01-31 11:21:03 UTC
Whoops! I seem to have truncated the last bit of my post.

I've created a group and delegated authority to it to Delete Computer Objects
and Delete child objects of computer objects and I've put a user account into
the group. To test it, I've started AD Users & Computers using Runas with
the user account and I've been able to delete a computer account.

I have a problem with this code:

Imports System.DirectoryServices

Dim computerAccount As New DirectoryEntry("LDAP://" & _
    distinguishedNameValue, _
    deleteComputerAccountUser, _
    deleteComputerAccountPassword)
Try
    computerAccount.DeleteTree()
Catch ex As UnauthorizedAccessException
    ' DeleteTree raises this on "Access is denied"
    Throw
End Try
where distinguishedNameValue, deleteComputerAccountUser &
deleteComputerAccountPassword are exactly what they sound like.

When I use the account referred to above, the code returns an "Access is
denied" error. When I substitute in my Domain Admin credentials, it works
fine. Can anyone suggest the critical difference between the accounts? Is
it something to do with Kerberos delegation?
Joe Kaplan (MVP - ADSI)
2005-01-31 18:54:10 UTC
This should work in code if the exact same thing works in AD U&C. If you
try the operation in ldp.exe, does it work with those credentials (recursive
delete)?

I'd suggest adding AuthenticationTypes.Secure to your DirectoryEntry binds
in general, but I'm not sure that is the problem here. It is always worth
doing if you can though.

Joe K.
S Garratt
2005-02-01 14:25:04 UTC
I tried the Recursive delete in LDP and got this: (domain name changed to
protect the innocent!) i.e. it worked.

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='NULL'; Pwd= <unavailable>; domain = 'NULL'.}
Authenticated as dn:'NULL'.
deleting "CN=dt-simon-ldp,CN=Computers,DC=child,DC=test,DC=co,DC=uk"...
deleted 1 entries

Frankly, I tried all of the AuthenticationTypes (in desperation) to no
avail. I've added AuthenticationType.Secure as you suggested but I'm still
getting Access is denied.
Joe Kaplan (MVP - ADSI)
2005-02-01 15:45:19 UTC
Do you get the same results in ldp.exe when you bind with the exact same
credentials you use in your S.DS code? It looks like you used default
credentials in ldp (unless you changed them for the posting).

Like I said, this should work. I'm not sure what else to tell you to try.

Joe K.
S Garratt
2005-02-02 11:25:03 UTC
Ah, forgot to mention that I ran ldp using RunAs with the limited ID and used
default credentials which, I think, is effectively the same. Just to be
sure, I reran ldp without using RunAs and with the limited ID in the Bind and
got the same result:

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='delcompacc'; Pwd= <unavailable>; domain = 'NULL'.}
Authenticated as dn:'delcompacc'.
deleting "CN=dt-simon-fred,OU=VI
Computers,OU=VI,OU=HO,DC=child,DC=root,DC=co,DC=uk"...
deleted 1 entries
Joe Kaplan (MVP - ADSI)
2005-02-02 19:03:46 UTC
I can't think of what else to tell you. There are "magical" ways that you
can get to see if you have rights to add an object to the tree or modify
certain attributes, but I don't know of an easy way to test for delete
permissions along those same lines. It seems like this should work.

I'd suggest going to MS PSS and putting in a support call there. Perhaps
they can figure it out. If the security contexts are the same, the behavior
should be the same as well. I'm out of ideas.

Sorry,

Joe K.
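Joe's reply above says there is no easy way to test for delete permissions. The following is an added example, not code from this thread or from Microsoft: it binds as the delegated account with AuthenticationTypes.Secure as Joe suggests, attempts the DeleteTree, and on "Access is denied" lists the ACEs on the computer object that grant or deny Delete, DeleteChild or DeleteTree, so the delegated account's rights can be compared with the Domain Admin context that works. It assumes .NET 2.0 or later (DirectoryEntry.ObjectSecurity), the variable names from the original post, and that the delegated account may read the object's security descriptor.

```vb
' Added example (not from the thread). Assumes .NET 2.0+ for ObjectSecurity.
Imports System
Imports System.DirectoryServices
Imports System.Security.Principal

Module DeleteComputerAccount

    ' The three delete-related rights; they are distinct in ActiveDirectoryRights.
    Private ReadOnly DeleteRights As ActiveDirectoryRights = _
        ActiveDirectoryRights.Delete Or ActiveDirectoryRights.DeleteChild Or _
        ActiveDirectoryRights.DeleteTree

    ' Returns True when the object was deleted, False when access was denied.
    Public Function TryDeleteComputer(ByVal distinguishedNameValue As String, _
                                      ByVal deleteComputerAccountUser As String, _
                                      ByVal deleteComputerAccountPassword As String) As Boolean
        Using computerAccount As New DirectoryEntry("LDAP://" & distinguishedNameValue, _
                deleteComputerAccountUser, deleteComputerAccountPassword, _
                AuthenticationTypes.Secure Or AuthenticationTypes.Sealing)
            Try
                computerAccount.DeleteTree()
                Return True
            Catch ex As UnauthorizedAccessException
                Console.WriteLine("Access denied deleting " & distinguishedNameValue)
                DumpDeleteAces(computerAccount)
                Return False
            End Try
        End Using
    End Function

    ' Lists every ACE on the object that touches a delete right, so you can see
    ' which of Delete, DeleteChild and DeleteTree the delegated group holds here.
    Private Sub DumpDeleteAces(ByVal entry As DirectoryEntry)
        Dim sd As ActiveDirectorySecurity = entry.ObjectSecurity
        For Each rule As ActiveDirectoryAccessRule In _
                sd.GetAccessRules(True, True, GetType(NTAccount))
            If (rule.ActiveDirectoryRights And DeleteRights) <> 0 Then
                Console.WriteLine("{0} {1} {2}{3}", rule.AccessControlType, _
                    rule.IdentityReference.Value, rule.ActiveDirectoryRights, _
                    IIf(rule.IsInherited, " (inherited)", ""))
            End If
        Next
    End Sub

End Module
```

Run TryDeleteComputer once under the delegated account and once under the Domain Admin account and compare the ACE listing with the delegation that was actually granted.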
S Garratt
2005-02-03 08:43:03 UTC
Thanks for your help, Joe. If I get it sorted, I'll post the solution in here.